HardcodedIVCNG (Windows Driver CodeQL Query)
Overview
An initialization vector (IV) is an input to a cryptographic primitive being used to provide the initial state. The IV is typically required to be random or pseudorandom (randomized scheme), but sometimes an IV only needs to be unpredictable or unique (stateful scheme).
Randomization is crucial for some encryption schemes to achieve semantic security, a property whereby repeated usage of the scheme under the same key does not allow an attacker to infer relationships between (potentially similar) segments of the encrypted message.
Recommendation
All symmetric block ciphers must also be used with an appropriate initialization vector (IV) according to the mode of operation being used.
If using a randomized scheme such as CBC, it is recommended to use cryptographically secure pseudorandom number generator such as BCryptGenRandom.
Additional Details
This query can be found in the Microsoft GitHub CodeQL repository. See the CodeQL and the Static Tools Logo Test page for details on how Windows Driver developers can download and run CodeQL.
Additional References:
Geri Bildirim
Çok yakında: 2024 boyunca, içerik için geri bildirim mekanizması olarak GitHub Sorunları’nı kullanımdan kaldıracak ve yeni bir geri bildirim sistemiyle değiştireceğiz. Daha fazla bilgi için bkz. https://aka.ms/ContentUserFeedback.
Gönderin ve geri bildirimi görüntüleyin